Facebook changed its privacy settings at the end of last year. The new settings give users greater choice in differentiating between which data to make publicly accessible, and which should be visible only to a restricted circle. However, many users fail to make use of this facility, so the default settings of the platform are then applicable. These have also been changed by Facebook. With the new default settings, more personal data than before (such as friend lists, profile photos or address) are publicly available for anyone to see. In order to prevent this, Facebook users must either manually alter the default settings or delete their profile details. Facebook did not obtain the consent of its users for the new default settings, and also failed to notify them beforehand.
For this reason, particularly in Germany but also recently in Switzerland, the data protection authorities have been paying close attention to Facebook and checking whether Facebook is complying with data protection laws.
The Data Protection Officer for the Federal State of Schleswig-Holstein asked Facebook to let him know what steps the company was taking to fulfil the requirements of the “Safe Harbor Framework” on the exchange of personal data between the EU and the USA. He is particularly interested to know how people who are not actually Facebook members are informed that their data may be processed if – for example – Facebook users synchronize the address lists in their smartphones (e.g. iPhone) with those in their Facebook account.
The data protection authorities also want to know whether Facebook uses data for commercial purposes and whether the users are informed of this. Facebook is also being asked to indicate whether it forwards information about users or their usage behaviour to third parties, to enable the latter to target their advertising to specific groups. Furthermore, the data protection authorities also wish to know how Facebook ensures that such third-party suppliers are adhering to the “Safe Harbor” principles.
Because Facebook recently opened its first German branch in Hamburg, the Hamburg Data Protection and Freedom of Information Officer will now be responsible for measures against Facebook.
The Federal Data Protection and Information Commissioner (FDPIC), Mr Thur, states that he is checking whether Facebook is operating in accordance with data protection legislation. The FDPIC is particularly interested in how Facebook deals with data of persons who are not actually Facebook users. Since this question is also being investigated by the German data protection authorities, Mr. Thur wishes to collaborate with them.
Facebook is willing to cooperate with the data protection authorities, but states that the overwhelming majority of users have made information such as profile pictures, name or the identity of friends, available to everyone anyway, and that it works closely with the data protection authorities in many countries and also endeavours to do so in Germany and Switzerland.
We will keep you informed about the investigations of the data protection authorities in Germany and Switzerland, and what the consequences will be for Facebook.